Organizations Urged to Stay Protected from IT Security Threats

Companies should formulate IT security policies and communicate them to their employees, the president of RSA Security tells Ziff Davis Internet Virtual Tradeshow attendees.

Companies must incorporate best IT security practices in their daily routines if they intend to protect data assets and instill confidence in their customers, the CEO of a high-profile data security company told attendees during a keynote speech online Wednesday at the Ziff Davis Internet Virtual Tradeshow.
Art Coviello, CEO and president of RSA Security Inc., told seminar attendees that only about 20 percent of businesses in the United States actually have formulated IT security policies and have communicated them clearly to their employees.
About 40 percent of companies are in the process of developing such policies, he said.

Best-practice IT security policies involve "reasonable and appropriate" controls, Coviello said, over online and internal data access and storage; logging and reporting; employee authentication and levels of permission access; business partner/customer access to company data; and compliance with Sarbanes-Oxley and HIPAA regulations.

"And dont forget one of the most common security problems we see: properly removing data access to former employees," Coviello said.
"Deleting but not de-registering a former employee completely from the companys IT system is one of the biggest headaches there is."
Secure data is a "business enabler," Coviello said, in that it gives customers confidence that their own personal informationif given through an Internet sales transaction, for examplewont be inadvertently made available to outside sources.

"Customers must have the confidence that companies that possess their personal information will handle it with due care and appropriately provide for its security," Coviello quoted Federal Trade Commission Chairwoman Deborah Majorus as saying recently.
Organizations need to come up with a "risk management profile" as a first step in gaining control over security issues and unforeseen problems, Coviello said.
"They need to assess the risks they now have, set some policies, develop a plan, and then implement and evaluate controls [on a daily basis]," he said.
This profile would include assessments of a companys Internet access (both wired and wireless), logging and reporting procedures, data storage and protection, access control of company data and other assets, and employee authentication procedures, Coviello said.
Click here to read more about protecting corporate data.
Risk profiles should be updated annually, Coviello said.
"The penalties for not having this kind of full profile are potentially harsh," Coviello said. "The stakes are being raised all the time. The loss of a companys reputation to security concerns can be absolutely fatal."
Coviello suggested that companies enact best practice policies in the following general areas:Risk Management

Classify data by sensitivity and criticality

Implement appropriate information security controls

Monitor/evaluate controls on an ongoing basis
Authentication

Implement appropriate authentication techniques

Keep authentication mechanisms effective

Protect storage & transmission of authentication information

Control authentication for access to external systems

Develop & enforce a strong password policy

Use multi-factor authentication when strong passwords fail

Use multi-factor authentication for remote access

Use multi-factor authentication for system administrators

Implement single sign-on systems

Control display of information in the log-on procedure

Set up emergency access procedures
Access Control

Integrate access control with effective authentication

Restrict users knowledge of unauthorized functions

Separate security administration functions

Assign individual users unique credentials

Ensure timely user life cycle management

Remove inactive or redundant user accounts

Monitor guest/anonymous user accounts

Grant access rights based on least privilege

Conduct regular reviews of access rights
Data Protection

Use appropriate cryptographic techniques

Employ effective key management procedures

Use stringent root key protection measures

Ensure applications developed with appropriate security controls
Logging and Reporting

Protect logging mechanisms from reactivation or compromise

Ensure logged data is accessible for review

Capture user & event information

Utilize centralized logging

Record significant key events
Coviello currently serves as co-chair of TechNet New England and is a member of TechNets CEO Cyber Security Task Force.
He is also a founding board member of the CSIA (Cyber Security Industry Alliance) and was appointed to co-chair of the National Cyber Security Summits Corporate Governance Task Force, a public-private initiative co-organized by the U.S. Department of Homeland Security and leading industry associations.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on Salesforce.com and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and DevX.com and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif.Follow on Twitter: editingwhiz